Offensive Cybersecurity Final Draft

School: American Public University
Course: 240
Subject: Information Systems
Date: Oct 30, 2023
Type: docx
Pages: 10
Uploaded by anhp0911

Offensive Cybersecurity for a Safer Future

Times have changed drastically over the last couple of decades. If you think back 20 years, many people could not have fathomed the advancements in technology or the dependency that comes along with those advancements. Technology has done wonderful things for society, but like everything else, someone is out to exploit it and do harm. Cybersecurity is a profession that has flourished within the last decade because of the increased exploitation in the industry. As cybersecurity has become more and more prevalent in society, so have the ethics surrounding it. Some argue that it should only be defensive and act when attacked, but sometimes that’s too late. Offensive cybersecurity is moderately practiced because of the caveats placed by the government and other entities, and it is something that should be discussed moving forward as attacks have become more heinous. They have targeted personal data, medical information, and financial information that only a few have access to. “Both researchers and designers respectively have the same goals: maintain the privacy, integrity, and accessibility of information through the cyber defense systems against both internal and external threats,” (Aiyanyo, 2020, pg.5812). Firms must make it a priority to work with government entities to ensure safe offensive attacks moving forward. It is crucial that cybersecurity companies work with the government and the people to establish a strong foundation with established guidelines, protocols, and consequences for offensive cybersecurity practices.

Over the course of the last 20 years, technology has improved drastically for the better. We have seen medical advancements, changed the way we communicate across the world, and even fully integrated the personal computer into practically every household in the world. It wasn’t long before people caught on and realized that they could exploit all this new technology and steal people’s personal information. It didn’t stop there; they soon realized they could exploit on larger scales, targeting financial institutions, Wall Street, and even the government. The pertinent data they could potentially obtain access to is priceless, and they knew it. Because of this need to exploit, companies had to find a way to protect themselves, and the cybersecurity profession was born.

Since the 1970s the cat-and-mouse game between those aiming to protect and those aiming to exploit has gone on. “Ray Tomlinson, the inventor of email, wrote the program Reaper, which chased and deleted Creeper. Reaper was the very first example of antivirus software and the first self-replicating program, making it the first-ever computer worm.” (Davies, 2021, para.3). In the 1990s the internet became available to the public and things truly took a turn. Security protocols, firewalls, and even antivirus programs became an absolute necessity. It wasn’t until the 2000s that we saw massive crime organizations fund cybersecurity attacks against governments and financial institutions. Cybersecurity saw tremendous growth during this time, but so did the number of people looking to exploit. Fast forward to 2021, and the cybersecurity industry has reached record-breaking levels. The global security market size is forecast to grow to 345.4 billion dollars by 2026 (Davies, 2021, para.7). Cybersecurity’s growth over the last 20 years has been exponential and only continues as threats become more and more credible.

As every year passes and cybersecurity becomes a more and more widespread practice, people must understand defensive vs. offensive strategies. Network Kings is a widely known blog in the industry, and it classifies each differently. Surbhi (2023) defines defensive cybersecurity as follows: “Defensive security refers to protecting computer systems and networks from attack by identifying and mitigating vulnerabilities and implementing measures to prevent or detect unauthorized access or activity,” (pg.3). They define offensive security as “the practice of actively attacking and exploiting computer systems and networks to test their defenses and identify vulnerabilities.” (Surbhi, 2023, pg.4). The differences are clear, and the uses are very different, yet people continue to see offensive attacks as inherently evil and following no structure. Cybersecurity experts who take a more defensive stance do so by monitoring, analyzing, and fixing potential system breaches or vulnerabilities within their systems. They are constantly monitoring, constantly ensuring all security patches and updates are done, and
dedicate themselves toward maintaining firewalls, internal protocols, and other regulatory systems in place to mitigate the fallout should an attack be successful. While these systems work, many are seeing the benefits of offensive security. Maryville University, for example, has created a program tailored to the three different tracks of cybersecurity. They teach an offensive approach that is unique for the field. The Maryville (2023) tech team described their system as “An offensive cybersecurity track that puts students in the shoes of a cyber attacker who wants to exploit a system. Rather than relying on pure analysis and reacting to findings with preventive measures, offensive cybersecurity uses ethical hacking techniques to mimic cyber-attacks. This method exploits security vulnerabilities and can eliminate the guesswork of what may happen during an attack,” (para.9). The idea behind both offensive and defensive is the same: protect the information at all costs. The difference is that one is a proactive practice and the other a retroactive one; the need for each type is determined by the needs of each business.

The use of defensive cybersecurity has been going on for decades. CISA, the Cybersecurity & Infrastructure Security Agency, has guidelines and handbooks dedicated to defensive practices. According to the Department of Defense and CISA handbooks, companies should have, “A cybersecurity architecture that increases mission effectiveness and enables cyber protection efforts includes well-defined network boundaries, appropriate access controls, and carefully managed interconnections, to name just a few elements. Key network defense considerations include active monitoring, automation, reliable detection, and proper procedures and resources to respond to incidents. Developing good tactics, techniques, and procedures to stop, mitigate, and respond effectively to network incidents is a fundamental aspect of defensive network operations.” (DOD, 2022, pg.17). Everything mentioned is defensive and designed to stop problems once they reach the network, but what about stopping those attacks from even reaching the network? Offensive attacks are designed specifically to counter known and credible threats against any organization.

Only recently have offensive attacks been seen as more credible. President Biden took steps in this direction in 2021, when he handed Vladimir Putin a list of 16 areas of U.S. infrastructure that should be “off limits to attack, period.” Biden subsequently told the press: “I pointed out to him that we have significant cyber capability. And he knows it. He doesn’t know exactly what it is, but it’s significant. And if they violate these basic norms, we will respond with cyber.” (Pendino, 2022, pg.2). The commander-in-chief is letting people know that offensive attacks are credible and imminent should they choose to attack certain areas of United States infrastructure. While this is great and does wonders to advance the credibility and necessity of offensive cybersecurity, more must be done. The United States, along with President Biden, must establish rules, guidelines, and protocols to make offensive cybersecurity a more accepted practice. Experts want to say that it’s uncharted territory and that we don’t have regulations, but even physical war has the Geneva Convention and articles of war dictating what’s acceptable and unacceptable during times of war.

An expert in the field, Stephanie Pendino, recently wrote an article for an academic journal titled U.S. Cyber Deterrence: Bringing Offensive Capabilities into the Light. She said, “The first step is the identification of intolerable malicious cyber activities that the United States would classify as “out of bounds,” for example: stealing intellectual property to benefit private industry, targeting the finances of innocent citizens, covertly influencing democratic elections, shutting down infrastructure to cause human suffering, or (except in the context of open war) degrading critical military capabilities. It follows logically that there are “in-bounds” malicious cyber activities, such as cyber espionage against government networks, which may warrant a response but do not “break the rules” in the same way as the red lines.” (Pendino, 2022, pg.3). This is very important because it establishes the rules and guidelines for practicing offensive cybersecurity, something that to this day is missing. This would give cybersecurity firms a firm grasp on what can and can’t be done, but allow them to go on the offensive to even further deter those that aim to exploit the current infrastructure. Establishing the aforementioned guidelines for offensive cybersecurity is crucial to its successful implementation.

The next important thing to highlight is the types of offensive attacks and how they work with international law and governments. This gives offensive attacks further established guidelines to follow, making the line between acceptable and too far even more visible. Currently, an offensive cybersecurity attack is seen as a use of force, but the lines are blurred. One type of offensive cybersecurity attack would be to freeze assets or impose economic sanctions on someone. A recent publication by Herbert S. Lin in the Journal of National Security Law & Policy talked about this concept of sanctions. Lin (2016) stated, “Under international law, economic sanctions appear not to constitute a use of force, even if they result in death and destruction on a scale that would have constituted a use of force if they were caused by traditional military forces, although this interpretation is often questioned by the nation targeted by the sanctions.” (p.80). These are the types of guidelines that need to be implemented; too much gray area exists. If cybersecurity firms, governments, and experts like Herbert S. Lin were to create guidelines and established rules to follow for attacks like these, where economic sanctions are imposed and assets of known criminals are frozen to prevent further cybersecurity attacks, then offensive cybersecurity could be seen as more viable and given much more credibility.
One more caveat they must detail is the difference between cyber exploitation and cyber-attacks. They are often misconstrued, creating more gray areas and making it more difficult to understand what’s acceptable and what is not. Herbert Lin, an expert in this field, talks about this often. He stated, “The first challenge is the technical similarity between cyber-attack and cyber exploitation. Although cyber-attacks and cyber exploitation are conducted with very different intents, the latter can easily be mistaken for the former. This potential ambiguity has consequences both from the perspective of the targeted party (the adversary) and from that of the U.S. policymaker.” (Lin, 2016, pg.82). Cyber exploitation is what’s currently seen as OK; it’s offensive to an extent. It’s gaining access to a user’s network without them noticing. They never know you looked at the information and never suspect anything more than an intrusion. This is not the offensive cybersecurity that is needed, which is why it’s important to differentiate. Offensive cybersecurity is a direct attack that is aimed to ruin a threat’s network, freeze assets, or wipe their data completely; it’s an attack that has the potential to do serious damage to any threat. The successful implementation of offensive cybersecurity practices rides on these nuances being cleared and identified so that clear-cut protocols and guidelines can be implemented. It’s only with these guidelines and acceptable practices that the rest of the cybersecurity world will agree and back the use of attacks from an offensive standpoint.

We must become an offensive powerhouse willing to attack those deemed as credible threats to safeguard our data and livelihoods. A unified front from experts, cybersecurity firms, and the government is necessary to stop outside forces and criminals from exploiting organizations and stealing vital financial and personal data as well as data about the infrastructure of the United States of America. The reality of the situation is we are dependent on technology today and going into the future. The further we advance with technology, the greater the likelihood that someone seeks to exploit and steal our important data. Being on the offensive and able to attack first to stop attacks from happening is vital. Max Smeets, a cybersecurity fellow from Stanford University, recently wrote a paper highlighting the need for offensive operations. He wrote, “Offensive cyber operations could provide significant strategic value to state actors. The availability of offensive cyber capabilities expands the options available to state leaders across a wide range of situations. Offensive cyber capabilities can be both an important force multiplier for conventional capabilities as well as an independent asset.” (Smeets, 2018, pg.92). This is exactly why experts in the field continue to reiterate the need for guidelines, protocols, and well-structured articles on what offensive attacks are viable and which ones are unethical. The Department of Defense already has guidelines in place for defensive cybersecurity; it’s time they do the same for offensive cybersecurity and make offensive cybersecurity a viable deterrent and safeguard into the future.

References

Aiyanyo, I. D., Samuel, H., & Lim, H. (2020). A Systematic Review of Defensive and Offensive Cybersecurity with Machine Learning. Applied Sciences, 10(17), 5811. MDPI AG. Retrieved from http://dx.doi.org/10.3390/app10175811

Davies, V. (2021, October 4). The history of Cybersecurity. Cyber Magazine. https://cybermagazine.com/cyber-security/history-cybersecurity

DOD Enterprise DevSecOps strategy guide - U.S. Department of Defense. (n.d.-a). https://dodcio.defense.gov/Portals/0/Documents/Library/DoD%20Enterprise%20DevSecOps%20Strategy%20Guide_DoD-CIO_20211019.pdf

Lin, H. S. (n.d.). Offensive Cyber Operations and the Use of Force. Journal of National Security Law & Policy, 4(63), 63–86.

Smeets, M. (2018, October). The Strategic Promise of Offensive Cyber Operations – Air University. https://www.airuniversity.af.edu/Portals/10/SSQ/documents/Volume-12_Issue-3/Smeets.pdf

Surbhi. (2023, July 21). Offensive security vs defensive security - explained (2023). Network Kings. https://www.nwkings.com/offensive-security-vs-defensive-security

U.S. cyber deterrence: Bringing offensive capabilities into the light. Joint Forces Staff College. (2022, September 7). https://jfsc.ndu.edu/Media/Campaigning-Journals/Academic-Journals-View/Article/3149856/us-cyber-deterrence-bringing-offensive-capabilities-into-the-light/

What are general, defensive, and offensive cybersecurity tracks? Maryville Online. (n.d.). https://online.maryville.edu/online-bachelors-degrees/cyber-security/resources/understanding-cyber-security-tracks/
